Description
jruby-openssl gem for JRuby fails to do proper certificate validation
A security problem involving peer certificate verification was found: a failed verification silently did nothing, so affected applications accepted connections they should have rejected. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate server applications that validate client certificates by presenting a dummy certificate.
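The failure mode described above, as an added example that is not jruby-openssl's code: it runs against MRI Ruby's OpenSSL binding (an assumption; the vulnerable code was JRuby's) and builds a constructed in-memory PKI (the CA and hostnames are made up). It compares a verify_callback that passes OpenSSL's verdict through, so verification fails closed, with one that returns true unconditionally, so a failed verification changes nothing and a self-signed rogue certificate is accepted. The second shape is the one to flag in code review and the one a regression test should catch.

```ruby
require "openssl"

# Added example, not code from jruby-openssl. Builds an in-memory PKI and
# compares a verify_callback that fails closed with one that fails open,
# i.e. a failed verification that silently does nothing.

# Issue an X.509 v3 certificate. With no issuer the certificate is self-signed.
def make_cert(cn:, key:, serial:, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment",
                                         true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed test PKI (all names are made up): one trusted CA, a leaf it
# signed, and a self-signed "rogue" certificate for the same hostname that
# no trusted CA vouches for.
CA_KEY     = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY   = OpenSSL::PKey::RSA.new(2048)
ROGUE_KEY  = OpenSSL::PKey::RSA.new(2048)
TRUSTED_CA = make_cert(cn: "Constructed Test CA", key: CA_KEY, serial: 1, ca: true)
GOOD_LEAF  = make_cert(cn: "service.example", key: LEAF_KEY, serial: 2,
                       issuer: TRUSTED_CA, issuer_key: CA_KEY)
ROGUE_CERT = make_cert(cn: "service.example", key: ROGUE_KEY, serial: 3)

# Fail closed: hand OpenSSL's verdict for each chain element back unchanged.
FAIL_CLOSED = lambda { |preverify_ok, _store_ctx| preverify_ok }

# Fail open: preverify_ok is ignored, so every verification error is
# discarded and the rogue certificate is accepted. This is the pattern to
# look for in code review.
FAIL_OPEN = lambda { |_preverify_ok, _store_ctx| true }

# Verify `cert` against the trusted CA using `callback` and return
# [verified?, OpenSSL's error string for the last verification].
def verify_with(callback, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(TRUSTED_CA)
  store.verify_callback = callback
  ok = store.verify(cert)
  [ok, store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "fail-closed, legitimate leaf: #{verify_with(FAIL_CLOSED, GOOD_LEAF).inspect}"
  puts "fail-closed, rogue cert:      #{verify_with(FAIL_CLOSED, ROGUE_CERT).inspect}"
  puts "fail-open,   rogue cert:      #{verify_with(FAIL_OPEN, ROGUE_CERT).inspect}"
end
```

The useful regression check is the middle case: a certificate that no trusted CA signed must come back as not verified. For a live SSL socket the same check is done by requiring OpenSSL::SSL::VERIFY_PEER in the SSLContext and treating a non-zero verify_result as a hard failure rather than a warning.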
References
- https://nvd.nist.gov/vuln/detail/CVE-2009-4123
- https://github.com/advisories/GHSA-xgv7-pqqh-h2w9
- https://github.com/jruby/jruby-openssl
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2009-4123.yml
- https://web.archive.org/web/20101213091125/http://jruby.org/2009/12/07/vulnerability-in-jruby-openssl
- http://jruby.org/2009/12/07/vulnerability-in-jruby-openssl
Packages
Name: jruby-openssl
Ecosystem: rubygems
Affected versions: < 0.6
Fixed version: 0.6
Related vulnerabilities
CVSS3: 7.5
nvd
about 2 years ago
The jruby-openssl gem before 0.6 for JRuby mishandles SSL certificate validation.